This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).

−

What you need to install, configure, and know, to get LDAP RFC 2251 Authentication working on Arch.

+

The guide is divided into two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

−

Steps:

+

=== NSS and PAM ===

+

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.

−

# Install OpenLDAP

+

PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.

−

# Design LDAP Directory

−

# Configure and Fill OpenLDAP

−

# Configure NSS

−

# Configure PAM

−

==== References ====

+

So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.

−

http://aqua.subnet.at/~max/ldap/

+

== LDAP Server Setup ==

−

==== For the newbies ====

+

=== Installation ===

−

If you are totally new to those concepts, here is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.

+

You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.

−

http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html

+

=== Set up access controls ===

−

=== Install OpenLDAP ===

+

To make sure that no-one can read the (encrypted) passwords from the LDAP server, but a user can edit their own password, add the following to {{ic|/etc/openldap/slapd.conf}} and restart {{ic|slapd.service}} afterwards:

−

This part is easy:

+

{{hc|slapd.conf|2=

−

pacman -S openldap

+

access to attrs=userPassword

+

by self write

+

by anonymous auth

+

by * none

−

The openldap package basically contains two things: The LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring the LDAP authentication on that very computer, in which case the LDAP client will query the LDAP server from the same package.

+

access to *

+

by self write

+

by * read

+

}}
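Review bot: the catch-all `access to *` / `by self write` grants every authenticated user write access to all of their own attributes, which in an authentication directory includes uidNumber, gidNumber, homeDirectory and loginShell, the very fields NSS and PAM trust; restrict self-write to the attributes users should manage (the `attrs=userPassword` clause already does this for the password) and make the catch-all read-only, e.g. `access to *` / `by * read`. The trailing `by * read` also lets anonymous binds read every non-password attribute, which may be intended on a LAN but should be stated in the lead-in, where "(encrypted) passwords" should read "hashed passwords", since slapd stores password hashes.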

−

==== Configure OpenLDAP ====

+

=== Populate LDAP Tree with Base Data ===

−

===== The server (slapd) =====

+

Create a temporarily file called {{ic|base.ldif}} with the following text.

+

{{note|If you have a different domain name then alter "example" and "org" to your needs}}

−

You can start the server like any other daemon, by executing

+

{{hc|base.ldif|<nowiki>

−

/etc/rc.d/slapd start

+

# example.org

−

+

dn: dc=example,dc=org

−

There are two config files you may have to edit, though:

+

dc: example

−

+

o: Example Organization

−

====== /etc/openldap/slapd.conf ======

−

You can define the access rules here, the root "user" etc.

−

−

If you want to use SSL, you have to specify a path to your certificates here.

−

−

====== /etc/conf.d/slapd ======

−

Very important, you define here on which port the server should listen and if you want to use SSL, you will want to use the ldaps:// URI instead of the default ldap://

−

You can also specify additional slapd options here.

−

−

===== The client =====

−

−

The client is usually not such a big deal, just keep in mind that your apps that require LDAP auth use it, so if something goes wrong with LDAP, don't waste your time with the app, start debugging the client instead.

−

−

The client config file is located at /etc/openldap/ldap.conf

−

It is actually very simple.

−

−

If you decide to use SSL:

−

* The protocol (ldap or ldaps) in the URI entry has to conform with the slapd configuration

−

* If you decide to use self-signed certificates, you have to add them to TLS_CACERT

−

−

==== Test your new OpenLDAP installation ====

−

−

This is easy, just run the command below:

−

ldapsearch -x -D <root dn from slapd.conf> -W

−

−

You should get at least some output, containing the line

−

result: 0 Success // Could anyone actually confirm this? I don't have a clean LDAP directory to test this with it...

−

Just for the basic insight, the -x option means "use simple authentication", you specify the dn you want to bind to with the -D switch and -W means "prompt for password"

−

−

=== Design LDAP Directory ===

−

−

This all depends on what organization your network/computer is modeling.

>>> Actually I have moved the /etc/nss_ldap.conf to /etc/ldap.conf. /etc/openldap/ldap.conf and /etc/nss_ldap.conf are only sym-links to /etc/ldap.conf. Works fine for me.

+

=== NSS Configuration ===

+

NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database, which stores the user accounts.

−

host yourdomain.com

+

Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:

You now should see your LDAP users when running {{ic|getent passwd}} on the client.
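Review bot: "be sure your file looks like this:" is not followed by any listing in this hunk, so the reader cannot see what to change; add the three database lines the sentence refers to, e.g. `passwd: files ldap`, `group: files ldap` and `shadow: files ldap`, before the sentence about `getent passwd`.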

−

''/etc/openldap/slapd.conf''

+

==== Name Service Cache Daemon ====

−

include /etc/openldap/schema/core.schema

+

You can optionally run NSCD. This is a daemon that NSS uses to cache lookups and queries for network backends. This way you can login when the LDAP server is down, it will also reduce load on the LDAP server.
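Review bot: "This way you can login when the LDAP server is down" overstates what NSCD provides: it caches name-service lookups (passwd, group, hosts) for NSS, not PAM authentication, so during an outage `getent passwd` may still answer from the cache while pam_ldap.so cannot bind to verify a password. Qualify the sentence to say that cached lookups keep working and load is reduced, but that an LDAP user's login still needs the server to be reachable; also "login" should be "log in" as a verb.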

−

include /etc/openldap/schema/cosine.schema

−

include /etc/openldap/schema/inetorgperson.schema

−

include /etc/openldap/schema/nis.schema

−

include /etc/openldap/schema/courier.schema

−

allow bind_v2

−

password-hash {md5}

−

pidfile /var/run/slapd.pid

−

argsfile /var/run/slapd.args

−

database bdb

−

suffix "dc=yourdomain,dc=com"

−

rootdn "cn=Manager,dc=yourdomain,dc=com"

−

rootpw password (Use slappasswd -h {MD5} -s passwordstring)

−

directory /var/lib/openldap/openldap-data

−

index objectClass eq

−

index uid eq

−

=== Configure NSS ===

+

Start {{ic|nscd.service}} using systemd.

−

'' /etc/nsswitch.conf''

+

{{Note|It is recommended to stop the NSCD when troubleshooting because it may mask problems by serving cached queries.}}

−

passwd: files

−

group: files

−

hosts: dns

−

services: files

−

networks: files

−

protocols: files

−

rpc: files

−

ethers: files

−

netmasks: files

−

bootparams: files

−

publickey: files

−

automount: files

−

aliases: files

−

sendmailvars: files

−

netgroup: file

−

''/etc/nsswitch.ldap''

+

=== PAM Configuration ===

−

passwd: files ldap

+

The basic rule of thumb for PAM configuration is to include {{ic|pam_ldap.so}} wherever {{ic|pam_unix.so}} is included. Arch moving to {{pkg|pambase}} has helped decrease the amount of edits required. For more details about configuring pam, the [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html RedHat Documentation] is quite good. You might also want the upstream documentation for [http://arthurdejong.org/nss-pam-ldapd nss-pam-ldapd].

−

group: files ldap

−

hosts: dns ldap

−

services: ldap [NOTFOUND=return] files

−

networks: ldap [NOTFOUND=return] files

−

protocols: ldap [NOTFOUND=return] files

−

rpc: ldap [NOTFOUND=return] files

−

ethers: ldap [NOTFOUND=return] files

−

netmasks: files

−

bootparams: files

−

publickey: files

−

automount: files

−

sendmailvars: files

−

netgroup: ldap [NOTFOUND=return] files

+

{{Tip|If you want to prevent UID clashes with local users on your system, you might want to include {{ic|minimum_uid&#61;10000}} or similar on the end of the {{ic|pam_ldap.so}} lines. You'll have to make sure the LDAP server returns uidNumber fields that match the restriction.}}

−

''/etc/rc.sysinit''

+

{{Note|Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for ''auth'', ''password'', and ''account'' is ''sufficient'' lines before ''required'', but after required lines for the ''session'' section; ''optional'' can almost always go at the end. When adding your {{ic|pam_ldap.so}} lines, don't change the relative order of the other lines without good reason! Simply insert LDAP within the chain.}}

−

'''Be sure to modify this file before you reboot or your machine will hang on "Starting UDev Daemon"'''

+

First edit {{ic|/etc/pam.d/system-auth}}. This file is included in most of the other files in {{ic|pam.d}}, so changes here propagate nicely. Updates to {{pkg|pambase}} may change this file.

−

Add this before UDev starts

+

Make {{ic|pam_ldap.so}} sufficient at the top of each section, except in the ''session'' section, where we make it optional.

−

cp /etc/nsswitch.file /etc/nsswitch.conf

+

{{hc|/etc/pam.d/system-auth|

+

'''auth sufficient pam_ldap.so'''

+

auth required pam_unix.so try_first_pass nullok

+

auth optional pam_permit.so

+

auth required pam_env.so

−

And this after UDev is started

+

'''account sufficient pam_ldap.so'''

−

cp /etc/nsswitch.ldap /etc/nsswitch.conf

+

account required pam_unix.so

+

account optional pam_permit.so

+

account required pam_time.so

−

Hopefully there will be a fix later.

+

'''password sufficient pam_ldap.so'''

+

password required pam_unix.so try_first_pass nullok sha512 shadow

+

password optional pam_permit.so

−

udev / ldap boot update ->

+

session required pam_limits.so

−

please see: http://wiki.archlinux.org/index.php/Udev-ldap_workaround

+

session required pam_unix.so

−

</pre>

+

'''session optional pam_ldap.so'''

+

session optional pam_permit.so

+

}}

−

'''Alternative Fix'''

+

Then edit both {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} identically. The {{ic|su-l}} file is used when the user runs {{ic|su --login}}.

−

If you don't require LDAP to discover your host is to have the nsswitch.conf read

+

Make {{ic|pam_ldap.so}} sufficient at the top of each section, and add {{ic|use_first_pass}} to {{ic|pam_unix}} in the ''auth'' section.

−

hosts: files dns

+

{{hc|/etc/pam.d/su|

−

this will bypass the need to modify ''/etc/rc.sysinit'' and not hang on boot

+

#%PAM-1.0

+

'''auth sufficient pam_ldap.so'''

+

auth sufficient pam_rootok.so

+

# Uncomment the following line to implicitly trust users in the "wheel" group.

+

#auth sufficient pam_wheel.so trust use_uid

+

# Uncomment the following line to require a user to be in the "wheel" group.

+

#auth required pam_wheel.so use_uid

+

auth required pam_unix.so '''use_first_pass'''

+

'''account sufficient pam_ldap.so'''

+

account required pam_unix.so

+

'''session sufficient pam_ldap.so'''

+

session required pam_unix.so

+

}}
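Review bot: two ordering problems in this file relative to rules kept elsewhere on the page. The retained note further down says pam_rootok.so must come before pam_ldap.so (otherwise root's `su` to another user, as in a startup script, is prompted for a password), yet `auth sufficient pam_ldap.so` is listed first; move `auth sufficient pam_rootok.so` above it. The ordering note above says sufficient lines go after required ones in the session section, but here `session sufficient pam_ldap.so` precedes `session required pam_unix.so`, so a successful pam_ldap session short-circuits pam_unix's session setup; use `session required pam_unix.so` followed by `session optional pam_ldap.so`, as in system-auth.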

−

=== Configure PAM ===

+

To enable users to edit their password, edit {{ic|/etc/pam.d/passwd}}:

−

This is what my files look like. It may not be exactly right, but it works on my systems.

If you want home folders to be created at login (eg: if you aren't using NFS to store home folders), edit {{ic|/etc/pam.d/system-login}} and add {{ic|pam_mkhomedir.so}} to the ''session'' section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} to enable it for {{ic|su}} and {{ic|su --login}}. If you don't want to do this for ssh logins, edit {{ic|system-local-login}} instead of {{ic|system-login}}, etc.

Note: pam_rootok.so must come before pam_ldap.so, otherwise startup scripts like '/etc/rc.d/postgres' ask for a password

+

==== Enable sudo ====

−

''/etc/pam.d/sudo''

+

To enable sudo from an LDAP user, edit {{ic|/etc/pam.d/sudo}}. You'll also need to modify sudoers accordingly.

−

auth sufficient pam_ldap.so

+

{{hc|/etc/pam.d/sudo|

−

auth required pam_unix.so use_first_pass

+

#%PAM-1.0

−

auth required pam_nologin.so

+

'''auth sufficient pam_ldap.so'''

+

auth required pam_unix.so '''try_first_pass'''

+

auth required pam_nologin.so

+

}}

−

''/etc/pam.d/sshd''

+

== Resources ==

−

auth required pam_nologin.so

+

[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]

−

auth sufficient pam_ldap.so

−

auth required pam_env.so

−

auth required pam_unix.so use_first_pass

−

account sufficient pam_ldap.so

−

account required pam_unix.so

−

account required pam_time.so

−

password required pam_ldap.so

−

password required pam_unix.so

−

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

−

session required pam_unix_session.so

−

session sufficient pam_ldap.so

−

session required pam_limits.so

−

=== Troubleshooting ===

+

The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]

−

After migrating to LDAP or updating an LDAP-backed system udevd can hang at boot at the message "Starting UDev Daemon". This is usually caused by udevd trying to look up a name from LDAP but failing, because the network is not up yet. The solution is to ensure that all system group names are present locally.

+

[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]

−

Extract the group names referenced in udev rules and the group names actually present on the system:

Introduction and Concepts

This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).

The guide is divided into two parts. The first part deals with how to set up an OpenLDAP server that hosts the authentication directory. The second part deals with how to set up the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

NSS and PAM

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.

PAM (which stands for Pluggable Authentication Module) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.

To summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.

LDAP Server Setup

Installation

You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.

Set up access controls

To make sure that no one can read the (hashed) passwords from the LDAP server, while each user can still change their own password, add the following to /etc/openldap/slapd.conf and restart slapd.service afterwards:

slapd.conf

access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by * read
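To see how slapd evaluates the rules above, here is an added Python model of the ACL semantics (example code written for this page, not OpenLDAP's own implementation): the first `access to` clause whose target covers the requested attribute wins, within it the first `by` clause that matches the requester decides, and privilege levels are ordered none < auth < compare < search < read < write. The copy of the ACL and the two user DNs are constructed for the example.

```python
"""Simplified model of slapd.conf access-control evaluation (added example, not OpenLDAP code)."""

# Privilege levels in increasing order; a grant at one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed copy of the rules shown above (not read from a live slapd.conf).
SLAPD_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
"""

def parse_acl(text):
    """Return [(target, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["access", "to"]:
            rules.append((parts[2], []))   # target is '*' or 'attrs=a,b'
        elif len(parts) >= 3 and parts[0] == "by":
            rules[-1][1].append((parts[1], parts[2]))
    return rules

def target_matches(target, attr):
    if target == "*":
        return True
    return target.startswith("attrs=") and attr in target[6:].split(",")

def who_matches(who, requester_dn, entry_dn):
    """requester_dn is None for an anonymous bind; 'self' means bound as the entry itself."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    return False

def granted_level(rules, requester_dn, entry_dn, attr):
    """First matching 'access to' clause wins; inside it the first matching 'by' decides."""
    for target, clauses in rules:
        if target_matches(target, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"   # clause matched but no 'by' applied: denied
    return "none"           # unreachable with this ACL, since 'access to *' matches everything

def allows(rules, requester_dn, entry_dn, attr, needed):
    """True if the requester holds at least level 'needed' on attr of entry_dn."""
    return LEVELS.index(granted_level(rules, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)

RULES = parse_acl(SLAPD_ACL)
ALICE = "uid=alice,ou=People,dc=example,dc=org"   # constructed DNs
BOB = "uid=bob,ou=People,dc=example,dc=org"
```

The model also shows the side effect of the catch-all rule: `allows(RULES, ALICE, ALICE, "uidNumber", "write")` returns True, i.e. `by self write` on `*` lets a user rewrite their own uidNumber, which is why an authentication directory normally lists the self-writable attributes explicitly.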

Populate LDAP Tree with Base Data

Create a temporary file called base.ldif with the following text.

Note: If you have a different domain name, alter "example" and "org" to your needs.

Client Setup

NSS Configuration

NSS is a system facility which manages different sources as configuration databases. For example, /etc/passwd is a file type source for the passwd database, which stores the user accounts.

Edit /etc/nsswitch.conf which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap directive to the passwd, group and shadow databases, so be sure your file looks like this:

You should now see your LDAP users when running getent passwd on the client.

Name Service Cache Daemon

You can optionally run NSCD. This is a daemon that NSS uses to cache lookups and queries for network backends. This way you can log in when the LDAP server is down, and it also reduces load on the LDAP server.

Start nscd.service using systemd.

Note: It is recommended to stop the NSCD when troubleshooting because it may mask problems by serving cached queries.

PAM Configuration

The basic rule of thumb for PAM configuration is to include pam_ldap.so wherever pam_unix.so is included. Arch moving to pambase has helped decrease the amount of edits required. For more details about configuring PAM, the Red Hat Documentation is quite good. You might also want the upstream documentation for nss-pam-ldapd.

Tip: If you want to prevent UID clashes with local users on your system, you might want to include minimum_uid=10000 or similar on the end of the pam_ldap.so lines. You'll have to make sure the LDAP server returns uidNumber fields that match the restriction.

Note: Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for auth, password, and account is sufficient lines before required, but after required lines for the session section; optional can almost always go at the end. When adding your pam_ldap.so lines, don't change the relative order of the other lines without good reason! Simply insert LDAP within the chain.

First edit /etc/pam.d/system-auth. This file is included in most of the other files in pam.d, so changes here propagate nicely. Updates to pambase may change this file.

Make pam_ldap.so sufficient at the top of each section, except in the session section, where we make it optional.
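As an added example (not code from the page, pambase or nss-pam-ldapd), the following Python checker encodes the two rules of thumb given above, pam_ldap.so alongside every pam_unix.so and the sufficient/required ordering per facility, and runs them over constructed copies of the system-auth and su files shown on this page; the su copy is flagged because its session section puts the sufficient pam_ldap.so line before the required pam_unix.so line.

```python
"""Checker for the PAM ordering rules described above (added example, not from the page or pambase).
SYSTEM_AUTH and SU are constructed copies of the two files this page shows, bold markup removed."""

SYSTEM_AUTH = """\
auth      sufficient pam_ldap.so
auth      required   pam_unix.so try_first_pass nullok
auth      optional   pam_permit.so
auth      required   pam_env.so
account   sufficient pam_ldap.so
account   required   pam_unix.so
account   optional   pam_permit.so
account   required   pam_time.so
password  sufficient pam_ldap.so
password  required   pam_unix.so try_first_pass nullok sha512 shadow
password  optional   pam_permit.so
session   required   pam_limits.so
session   required   pam_unix.so
session   optional   pam_ldap.so
session   optional   pam_permit.so
"""
SU = """\
#%PAM-1.0
auth      sufficient pam_ldap.so
auth      sufficient pam_rootok.so
auth      required   pam_unix.so use_first_pass
account   sufficient pam_ldap.so
account   required   pam_unix.so
session   sufficient pam_ldap.so
session   required   pam_unix.so
"""

def parse_pam(text):
    """Return (facility, control, module) tuples in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            facility, control, module = line.split()[:3]
            entries.append((facility, control, module))
    return entries

def check_pam(text):
    """Apply this page's two rules of thumb and return a list of findings (empty = clean)."""
    findings = []
    entries = parse_pam(text)
    for facility in ("auth", "account", "password", "session"):
        chain = [(c, m) for f, c, m in entries if f == facility]
        modules = {m for _, m in chain}
        # Rule 1: pam_ldap.so wherever pam_unix.so is.
        if "pam_unix.so" in modules and "pam_ldap.so" not in modules:
            findings.append(f"{facility}: pam_unix.so without pam_ldap.so")
        req = [i for i, (c, _) in enumerate(chain) if c == "required"]
        suf = [i for i, (c, _) in enumerate(chain) if c == "sufficient"]
        if not req or not suf:
            continue
        # Rule 2: a passing sufficient line ends the chain, so it goes before required lines in
        # auth/account/password and after them in session (where required modules must still run).
        if facility == "session" and min(suf) < max(req):
            findings.append("session: sufficient line precedes a required line")
        elif facility != "session" and max(suf) > min(req):
            findings.append(f"{facility}: sufficient line follows a required line")
    return findings
```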

Create home folders at login

If you want home folders to be created at login (e.g. if you aren't using NFS to store home folders), edit /etc/pam.d/system-login and add pam_mkhomedir.so to the session section above any "sufficient" items. This will create the home folder when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as /etc/pam.d/su and /etc/pam.d/su-l, to enable it for su and su --login. If you don't want to do this for ssh logins, edit system-local-login instead of system-login, etc.